Legal Software and Security

While I left it out of my article on legal practice management software, there was more than just frustration with Clio's inefficient workflow (to use a terrible word – Clio is just inefficient). The issue I had was the security of my data. I had always assumed that Clio, like other cloud providers, had it in their interest to keep my data safe. Then I authorized a third-party software vendor that integrates with Clio's API (application programming interface – a mechanism for allowing third parties to program their software to use the data in Clio).

Essentially, Clio's API is structured so that once a vendor is authorized by a Clio user to access that user's data (and it is simple to authorize, just click a big button), that vendor has virtually unfettered access to all data until it is revoked. Clio has no control over how that vendor will then use the data. In my case, the vendor took my authorization for one software program he had developed and changed the name to another software program. Thus, I had authorized one thing, but a totally separate product (with totally different functionality) had access to my firm's data.

Clio's API security mechanisms do not provide you any control over what data is shared. For example, in my case, where I had allowed access to a calendar reminder service, granular data permissions would have prevented the vendor from accessing my billing data and sending out unauthorized billing reminders (this is exactly what happened). Furthermore, Clio's API allowed the vendor to avoid having its own login mechanism, so you could not cancel the Clio integration and still access your account.
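To make the point about granular permissions concrete, here is an added example (my own illustration, not Clio's code or a description of Clio's actual API) of a minimal delegated-authorization server. It contrasts the all-or-nothing grant described above with a scope-limited grant, ties each grant to the application that received it, enforces the required scope on every endpoint, and supports revocation. The scope names, endpoint names and application names are hypothetical.

```python
"""Added example: scope-limited delegated authorization versus an
all-or-nothing grant.  Hypothetical scopes, endpoints and app names;
this is not Clio's API."""
import secrets
from dataclasses import dataclass, field

# Hypothetical resource scopes a practice-management API might expose.
SCOPES = frozenset({
    "calendar:read", "calendar:write",
    "billing:read", "billing:write",
    "contacts:read",
})

# Hypothetical endpoint -> scope required to call it.
ENDPOINT_SCOPES = {
    "GET /calendar": "calendar:read",
    "POST /calendar/reminders": "calendar:write",
    "GET /bills": "billing:read",
    "POST /bills/reminders": "billing:write",
    "GET /contacts": "contacts:read",
}


class AuthorizationError(Exception):
    """Raised when a token is missing, revoked, or lacks the needed scope."""


@dataclass
class Grant:
    app_name: str                      # the application the user actually approved
    scopes: frozenset                  # what that application may touch
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    revoked: bool = False


class AuthServer:
    def __init__(self):
        self._grants = {}              # token -> Grant

    def authorize(self, app_name, requested_scopes):
        """User approves app_name for exactly the listed scopes (least privilege)."""
        requested = frozenset(requested_scopes)
        unknown = requested - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        grant = Grant(app_name=app_name, scopes=requested)
        self._grants[grant.token] = grant
        return grant.token

    def authorize_all(self, app_name):
        """The 'big button' pattern: one click hands over every scope."""
        return self.authorize(app_name, SCOPES)

    def revoke(self, token):
        grant = self._grants.get(token)
        if grant is not None:
            grant.revoked = True

    def check(self, token, endpoint):
        """Enforce the grant on each call; returns the approved app name on success."""
        grant = self._grants.get(token)
        if grant is None or grant.revoked:
            raise AuthorizationError("token is unknown or has been revoked")
        needed = ENDPOINT_SCOPES[endpoint]
        if needed not in grant.scopes:
            raise AuthorizationError(
                f"{grant.app_name} was not granted {needed} (needed for {endpoint})")
        return grant.app_name


def allowed(server, token, endpoint):
    """True if the call would be permitted, False if the server would refuse it."""
    try:
        server.check(token, endpoint)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    srv = AuthServer()
    # All-or-nothing grant: a calendar reminder app can also send billing reminders.
    wide = srv.authorize_all("calendar-reminder-app")
    print("wide grant -> POST /bills/reminders:", allowed(srv, wide, "POST /bills/reminders"))
    # Scoped grant: the same app may read the calendar and nothing else.
    narrow = srv.authorize("calendar-reminder-app", {"calendar:read"})
    print("scoped grant -> GET /calendar:", allowed(srv, narrow, "GET /calendar"))
    print("scoped grant -> POST /bills/reminders:", allowed(srv, narrow, "POST /bills/reminders"))
    srv.revoke(narrow)
    print("after revoke -> GET /calendar:", allowed(srv, narrow, "GET /calendar"))
```

Two design choices matter here. First, the grant records the application the user approved, so a vendor cannot silently reuse one product's approval for a different product; a renamed or repurposed client should require a fresh approval. Second, the scope check runs on every request rather than only at approval time, which is what makes revocation and least privilege actually bite.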

In my case, the vendor also sent out emails to my clients to remind them of bills to be paid without my authorization.  This was a flaw in the third party software, which actually did things that I had never permitted. 

I tell this story because it is important to avoid trusting any website that happens to integrate with a cloud vendor's API. Just because a company writes a program to access data does not mean that the vendor is trustworthy. It is up to cloud vendors and the user to make sure things are secure. Clio, unfortunately, did not take these concerns seriously enough. My conversations with them led me to believe that they did not understand the serious threat to law firm data that they had created.

It was this incident that led me on my search for new software. 
